From d69764ddac6906efd51cb9f6a08a9a3f9f187a58 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aleksa=20Majki=C4=87?= Date: Sat, 6 Dec 2025 00:49:20 +0100 Subject: [PATCH] fix readme (#1118) --- README.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.rst b/README.rst index fe24a7a..e9d9a52 100644 --- a/README.rst +++ b/README.rst @@ -123,8 +123,9 @@ As of 3.0.0 the ``$2y$`` prefix is still supported in ``hashpw`` but deprecated. Maximum Password Length ~~~~~~~~~~~~~~~~~~~~~~~ -The bcrypt algorithm only handles passwords up to 72 characters, any characters -beyond that are ignored. To work around this, a common approach is to hash a +Passing ``hashpw`` a password longer than 72 bytes now raises a ``ValueError``. +Previously the password was silently truncated, following the behavior of the +original OpenBSD ``bcrypt`` implementation. To work around this, a common approach is to hash a password with a cryptographic hash (such as ``sha256``) and then base64 encode it to prevent NULL byte problems before hashing the result with ``bcrypt``:
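Review bot: The first added line of the "Maximum Password Length" hunk says ``hashpw`` "now raises a ``ValueError``" without naming the release where that starts, while the context line in the hunk header dates its change with "As of 3.0.0". "Now" goes stale and leaves readers on older versions unable to tell whether they still get silent truncation, so I would state the version in the same "As of X.Y.Z" form. The third added line also runs straight into "To work around this, a common approach is to hash a", which makes it much longer than the surrounding wrapped lines; re-wrap the paragraph. Since the text now correctly says 72 bytes rather than characters, it would help to add that the limit applies to the encoded password, so a password with multi-byte characters can hit it with fewer than 72 characters.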